KB-5333
T1-Max Review - Package Split
Revision 1
07 - SUPERTRACK G: Package Split Review (PKG-A..I)
Checks
| check | result |
|---|---|
| package boundaries crisp | PASS - DDL / DATA / rehearsal / read-only proof / create+seal+activate / repoint+neutralize / owner-ACL / freeze+deprecate / verify are distinct |
| no package too broad to review | PASS - each maps to a coherent S-range |
| no package combines object creation + privilege cutover + activation in one step | PASS - PKG-E does create+seal+activate (standing up the plane) but no privilege cutover; repoint (PKG-F) and ACL cutover (PKG-G) are separate |
| no package enters Stage 2.6B | PASS - "Stage 2.6B is NOT a package here" |
| no package opens permit/REAL_RUN/QT001 apply | PASS - all three excluded from every package; PKG-I notes they stay separately gated |
| package no-go conditions machine-checkable | PASS - each PKG carries a concrete no-go |
| package outputs auditable | PASS - SQL files, fixtures, proofs, evidence, snapshots |
| Codex review gates before risky packages | PASS-after-fix (MG-01) - re-audits before PKG-D and PKG-E were already in place; Max added re-audits before PKG-F and PKG-G |
| operator gates explicit and unbypassable | PASS - who: OPERATOR + per-package permit; no self-escalation |
Finding
MG-01 (P2) - no fresh Codex re-audit before the two governance-change packages
- Pre-Max sequencing placed a fresh Codex re-audit before PKG-D and before PKG-E, so the single re-audit before PKG-E covered E->F->G->H as a batch. Yet PKG-F (authoritative live repoint + legacy EXECUTE revoke - the exact FIX2..FIX6 failure point) and PKG-G (owner/ACL cutover - strips the directus authority that holds readiness BLOCKED) are the most destructive packages.
- The governing law §4G is decisive here: a governance/authority change (repoint + ACL revoke) "must stop / be explicit", and "may NOT ride under drift-patch auto-allowance" - i.e. it must be independently re-reviewed, never carried as a mechanical continuation of a prior package.
- Fix (doc 07 sequencing + PKG-F/PKG-G preconditions): a fresh Codex re-audit + explicit
operator permit is now required immediately before PKG-F and again before PKG-G. Sequencing:
... PKG-E --[Codex re-audit + permit]--> PKG-F --[Codex re-audit + permit]--> PKG-G -> PKG-H -> PKG-I.
Independent rigor check
The chain now gates every transition into a higher-risk class: read-only proof (D), first apply (E),
authoritative repoint+neutralize (F), authority strip (G) - each behind a fresh independent
re-audit. No package can self-escalate (who: OPERATOR + per-package permit). Matches FIX-history
discipline ("fresh independent re-audit before any apply") and law §4G.
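The gate rule from the fix, as an added example (not part of the original review or the project's tooling): a Python check over a run log in which every gated package needs its own re-audit and OPERATOR permit recorded after the previous package ran. The event names, log shape and sample logs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Packages the review places behind a fresh re-audit plus operator permit.
GATED = {"PKG-D", "PKG-E", "PKG-F", "PKG-G"}

@dataclass(frozen=True)
class Event:
    kind: str       # "reaudit", "permit" or "run" (hypothetical event names)
    package: str    # the one package this event is scoped to
    who: str = ""   # issuer; only checked on permits

def gate_violations(events):
    """Return (package, reason) for each gated run that lacks a fresh gate."""
    violations = []
    audited, permitted = set(), set()   # gates seen since the previous run
    for e in events:
        if e.kind == "reaudit":
            audited.add(e.package)
        elif e.kind == "permit" and e.who == "OPERATOR":
            permitted.add(e.package)    # permits from any other issuer are ignored
        elif e.kind == "run":
            if e.package in GATED:
                if e.package not in audited:
                    violations.append((e.package, "no fresh re-audit"))
                if e.package not in permitted:
                    violations.append((e.package, "no operator permit"))
            # Every run consumes all outstanding gates, so a re-audit taken
            # before PKG-E cannot also cover PKG-F or PKG-G.
            audited.clear()
            permitted.clear()
    return violations

def gated_run(pkg, reaudit=True, who="OPERATOR"):
    """Constructed log fragment: optional re-audit, a permit, then the run."""
    out = [Event("reaudit", pkg)] if reaudit else []
    return out + [Event("permit", pkg, who), Event("run", pkg)]

# Constructed logs. PRE_FIX batches the PKG-E re-audit over F and G (finding MG-01).
PRE_FIX = (gated_run("PKG-D")
           + [Event("reaudit", "PKG-F"), Event("reaudit", "PKG-G")]
           + gated_run("PKG-E")
           + gated_run("PKG-F", reaudit=False) + gated_run("PKG-G", reaudit=False))
POST_FIX = [e for p in ("PKG-D", "PKG-E", "PKG-F", "PKG-G") for e in gated_run(p)]

if __name__ == "__main__":
    print(gate_violations(PRE_FIX))
    print(gate_violations(POST_FIX))
```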
Verdict
PACKAGE_SPLIT_PASS_AFTER_FIX - layer-clean, sequenced, no 2.6B/permit/REAL_RUN/apply leakage,
and the two governance-change packages are now each behind a fresh Codex re-audit, not a batched one.